The DoJ is using a boring procedure to secure the right to unleash malware on the internet


The upcoming Rule 41 modifications to US Criminal Justice procedure underway at the Department of Justice will let the FBI hack computers in secret, with impunity, using dangerous tools that are off-limits to independent scrutiny -- all without Congressional approval and all at a moment at which America needs its law-enforcement community to be strengthening the nation's computers, not hoarding and weaponizing defects that put us all at risk.

A power-trio -- Senator Ron Wyden; security ninja Matt Blaze; and engineer/mathematician/social scientist Susan Landau -- have published a joint op-ed in Wired sounding the alarm about the use of an obscure, technical, fantastically boring procedure to radically expand the powers of American law enforcement under cover of dullness.

But the results will be anything but dull. Even with advanced testing and scrutiny, the construction of "cyberweapons" is tricky business, nearly impossible to get right. The FBI's history in this area does not inspire confidence: one FBI agent testified that he ascertained that a cyberweapon was safe because he tried it on his home PC and couldn't see anything wrong with it. This is not sufficient testing for technology that could end up infecting hospitals, or cars, or voting machines, or insulin pumps, or nuclear reactors.

A bipartisan Congressional effort to stop this is now underway: the Stop Mass Hacking Act, which will require the DoJ to get Congressional approval before giving itself these sweeping, deadly new powers.

In the meantime, visit EFF's No Global Warrants site to put your own lawmakers on notice about this plan.

No one believes the government is setting out to damage victims’ computers. But history shows just how hard it is to get hacking tools right. Indeed, recent experience shows that tools developed by law enforcement have actually been co-opted and used by criminals and miscreants. For example, the FBI digital wiretapping tool Carnivore, later renamed DCS 3000, had weaknesses (which were eventually publicly identified) that made it vulnerable to spoofing by unauthorized parties, allowing criminals to hijack legitimate government searches. Cisco’s Law Enforcement access standards, the guidelines for allowing government wiretaps through Cisco’s routers, had similar weaknesses that security researchers discovered.

The government will likely argue that its tools for going after large botnets have yet to cause the kind of unintended damage we describe. But it is impossible to verify that claim without more transparency from the agencies about their operations. Even if the claim is true, today’s botnets are simple, and their commands can easily be found online. So even if the FBI’s investigative techniques are effective today, in the future that might not be the case. Damage to devices or files can happen when a software program searches and finds pieces of the botnet hidden on a victim’s computer. Indeed, damage happens even when changes are straightforward: recently an anti-virus scan shut down a device in the middle of heart surgery.

